What Happened
Attackers—believed to be the financially motivated group tracked as UNC6395—exploited OAuth and refresh tokens from the Salesloft Drift and Drift Email integrations to infiltrate downstream systems. The intrusion initially affected Salesforce environments, but its reach quickly expanded to Google Workspace, and potentially beyond.
Google revealed that tokens for the Drift Email integration were also compromised, granting access to email accounts in a limited number of Google Workspace environments—though core Google systems remained intact.
Affected Organizations
Early disclosures confirmed 700+ organizations compromised via Salesforce integrations. Among the publicly named victims are major cybersecurity and cloud tech firms.
- Zscaler: Exposed contact names, emails, job titles, product licensing, and support case content. No evidence of misuse, but additional security protocols enacted.
- Cloudflare: 104 API tokens stolen; data mostly centered on support case details and customer contacts. Tokens were rotated swiftly.
- Palo Alto Networks: Exposed contact info, sales account data, and case records. No services compromised beyond the CRM platform.
- Other victims include Tanium, SpyCloud, PagerDuty, and more.
Dates & Events
- Aug 8–18, 2025: Initial exfiltration via OAuth tokens from Salesforce and possibly beyond.
- Aug 20: Salesloft & Salesforce revoked Drift tokens and pulled the app from AppExchange.
- Aug 26–28: Google disclosed widespread theft, noting compromised Workspace tokens.
- Early Sept: Zscaler, Cloudflare, Palo Alto—public disclosures begin to surface.
- Ongoing: Investigations expand; Salesloft collaborates with Mandiant, Google Cloud, and cyber insurer Coalition.
Root Cause & Attack Strategy
Attackers abused trusted OAuth connections from the Drift platform to customer SaaS systems—without breaching the core platforms themselves.
They executed stealthy SOQL queries across Salesforce objects (Accounts, Users, Cases), exfiltrating sensitive data like AWS keys, Snowflake tokens, and passwords.
In some instances, they erased query jobs to avoid detection.
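As an added illustration (not part of the original write-up), the Python script below shows what a review of an integration's API activity for the pattern described above could look like: it flags a connected app whose activity combines broad reads across Accounts, Users and Cases with deletion of query jobs. The sample records and their field names (app, action, soql, job_id) are constructed and assumed, not the real Salesforce Event Monitoring schema.

```python
import re
from collections import defaultdict

# Constructed sample records of an integration's API activity. The field
# names (app, action, soql, job_id) are a simplified assumption, not the
# real Salesforce Event Monitoring schema; map your own log export to them.
SAMPLE_EVENTS = [
    {"app": "Drift", "action": "query", "soql": "SELECT Id, Name FROM Account"},
    {"app": "Drift", "action": "query", "soql": "SELECT Id, Username, Email FROM User"},
    {"app": "Drift", "action": "query", "soql": "SELECT Id, Subject, Description FROM Case"},
    {"app": "Drift", "action": "delete_job", "job_id": "job-0001"},  # constructed id
    {"app": "Reporting", "action": "query", "soql": "SELECT Id, Name FROM Account WHERE CreatedDate = TODAY"},
]

# Objects the write-up says were read wholesale during the incident.
SENSITIVE_OBJECTS = {"Account", "User", "Case"}
FROM_RE = re.compile(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)

def queried_object(soql):
    """Return the primary object named in a SOQL statement, or None."""
    m = FROM_RE.search(soql)
    return m.group(1) if m else None

def analyze(events):
    """Return {app: [reasons]} for apps that read broadly and/or delete query jobs."""
    stats = defaultdict(lambda: {"objects": set(), "deleted_jobs": 0})
    for ev in events:
        s = stats[ev["app"]]
        if ev["action"] == "query":
            obj = queried_object(ev.get("soql", ""))
            if obj in SENSITIVE_OBJECTS:
                s["objects"].add(obj)
        elif ev["action"] == "delete_job":
            s["deleted_jobs"] += 1
    findings = {}
    for app, s in stats.items():
        reasons = []
        if len(s["objects"]) >= 2:  # reads spanning several sensitive objects
            reasons.append("bulk reads across " + ", ".join(sorted(s["objects"])))
        if s["deleted_jobs"]:  # job deletion can indicate cleanup of evidence
            reasons.append(f"{s['deleted_jobs']} query job(s) deleted (possible cleanup)")
        if reasons:
            findings[app] = reasons
    return findings

if __name__ == "__main__":
    for app, reasons in analyze(SAMPLE_EVENTS).items():
        print(f"review connected app {app!r}: {'; '.join(reasons)}")
```

A hit is a prompt to review the app's token and scope, not proof of compromise; a legitimate sync job can also read several objects.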
Industry and Security Response
- Google’s GTIG: Urged all Drift users to treat every authentication token as potentially compromised, and revoke/rotate tokens immediately.
- Salesforce: Disabled all Drift integrations until further notice and urged admins to investigate their environments.
- Salesloft: Revoked tokens, working with Mandiant, Google Cloud IR, and Coalition to assess impact. Also recommending customers revoke and rotate API keys.
- Victim firms: Rotated compromised tokens, upgraded third-party risk protocols, and raised customer phishing defense awareness. No evidence of direct misuse—but the potential risk remains high.
Key Takeaways for Businesses
- SaaS Integration Risk: Third-party connectors—even those with trusted apps—can open unintended breach paths.
- Token Hygiene Matters: OAuth and API keys must be regularly audited, revoked, and rotated when threats arise.
- Comprehensive Monitoring: Security teams need visibility over all integrations—especially AI or new tools—with real-time alerting.
- Swift Incident Response is Vital: Delay is the enemy in supply-chain attacks. Immediate token revocation, customer notifications, and external investigations are critical.
- Plan for AI/Emerging Tools: As companies deploy AI for workflows, defense strategies must adapt to more rapid and automated attack surfaces.